HSTS done right: enforce HTTPS without breaking subdomains
Learn how to configure Strict-Transport-Security safely, choose max-age values, and roll out includeSubDomains and preload in stages.
8 min read • Website owners, DevOps, platform teams
What HSTS solves
Strict-Transport-Security tells browsers to use HTTPS for your domain for a fixed duration (the max-age value). This prevents protocol downgrade attacks and protects returning visitors from accidental HTTP links.
Without HSTS, every visit that begins with a plain HTTP request (a typed address, an old bookmark, an http:// link) is exposed to an attacker who can interfere with network traffic. HSTS narrows that window by making HTTPS sticky in the browser after the first successful HTTPS response, so later visits are upgraded before any request leaves the machine.
Recommended production policy
For production websites, use at least one year of max-age (max-age=31536000) once your HTTPS setup is stable. Add includeSubDomains only after confirming that every subdomain supports HTTPS.
Implementation checklist
- Start with max-age=86400 in staging and verify redirects/certificates.
- Move to max-age=31536000 when confident.
- Add includeSubDomains when all active subdomains are HTTPS-ready.
- Consider preload only after long-term validation.
Example header
Strict-Transport-Security: max-age=31536000; includeSubDomains
Common rollout mistakes
The most common issue is enabling includeSubDomains too early. Legacy or forgotten subdomains that only serve HTTP then become unreachable for every user who has already received the header, because browsers refuse HTTP fallback.
Another mistake is adding the preload directive before the site is operationally ready. Removal from the preload list is a slow process, and the removal only reaches users as browsers ship updated copies of the list.
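The checklist above and the two rollout mistakes can be turned into a pre-deployment gate. The following script is an added example and is not code from the original page: parse_hsts, check_rollout and the stage names are hypothetical names chosen here, and the subdomain inventory is constructed. It assumes the published preload-list submission requirements (max-age of at least one year, includeSubDomains, and the preload directive); the header checker itself follows the directive syntax of RFC 6797.

```python
"""Check a Strict-Transport-Security header against a staged HSTS rollout.

Stages mirror the article's checklist: "staging" (short max-age), "production"
(one year) and "preload" (one year, includeSubDomains and the preload directive,
the published requirements for preload list submission). Example code, not
part of the original page; function and stage names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_DAY = 86400
ONE_YEAR = 31536000

# Minimum max-age a header must carry at each rollout stage.
STAGE_MIN_MAX_AGE = {"staging": ONE_DAY, "production": ONE_YEAR, "preload": ONE_YEAR}


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None when the directive is absent
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the directive list of an HSTS header value.

    Directives are ';'-separated, names are case-insensitive, values may be
    quoted, and unknown directives are ignored (RFC 6797 section 6.1).
    A repeated directive makes the header invalid, so it raises here.
    """
    max_age: Optional[int] = None
    seen = set()
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            raise ValueError(f"directive {name!r} appears more than once")
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def check_rollout(header_value: str, stage: str, subdomains: Dict[str, bool]) -> List[str]:
    """Return the problems that block deploying header_value at the given stage.

    subdomains maps each active hostname under the domain to True when it has
    a working HTTPS endpoint; the caller supplies that inventory.
    An empty list means the header is safe to ship for that stage.
    """
    if stage not in STAGE_MIN_MAX_AGE:
        raise ValueError(f"unknown stage {stage!r}")
    problems: List[str] = []
    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]

    if policy.max_age is None:
        # max-age is mandatory; browsers ignore a header without it.
        return ["max-age missing, browsers will ignore the header"]
    if policy.max_age == 0:
        # max-age=0 is the documented way to revoke a policy, not to enforce one.
        problems.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age < STAGE_MIN_MAX_AGE[stage]:
        problems.append(
            f"max-age={policy.max_age} is below the {stage} minimum of {STAGE_MIN_MAX_AGE[stage]}"
        )

    # The includeSubDomains mistake: any HTTP-only host becomes unreachable.
    not_ready = sorted(host for host, ok in subdomains.items() if not ok)
    if policy.include_subdomains and not_ready:
        problems.append("includeSubDomains would cut off HTTP-only hosts: " + ", ".join(not_ready))

    # The preload mistake: the directive must not appear before the preload stage.
    if stage == "preload":
        if not policy.include_subdomains:
            problems.append("preload submission requires includeSubDomains")
        if not policy.preload:
            problems.append("preload submission requires the preload directive")
    elif policy.preload:
        problems.append("preload directive set before the preload stage; list removal is slow")
    return problems


if __name__ == "__main__":
    # Constructed inventory: one forgotten host still answers only over HTTP.
    inventory = {"www.example.com": True, "api.example.com": True, "legacy.example.com": False}
    for stage, header in [
        ("staging", "max-age=86400"),
        ("production", "max-age=31536000; includeSubDomains"),
        ("preload", "max-age=31536000; includeSubDomains; preload"),
    ]:
        print(f"{stage:10} {header!r}: {check_rollout(header, stage, inventory) or 'OK'}")
```

Run it as a step in the deployment pipeline with the header taken from the server configuration and the inventory generated from DNS or the certificate list; a non-empty result for the target stage should fail the deploy, since once a browser has stored the policy it stays in effect for the full max-age regardless of later fixes to the header.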